
AWS networking fundamentals - SVC303 - Santa Clara AWS Summit



In this session, we first cover build-out and design fundamentals for VPCs, including selecting your IP space, subnetting, routing, security, and more. We then discuss different approaches and scenarios for connecting your VPC to your data center with AWS VPN or AWS Direct Connect. Throughout this presentation, we discuss our latest networking services and updates, including AWS Transit Gateway and AWS PrivateLink. This mid-level architecture discussion is for architects, network administrators, and technology decision makers interested in understanding the building blocks that AWS makes available with Amazon VPC. Learn how to connect VPCs with your offices and data center footprint.


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Summit. AWS Networking fundamentals. Matt Lehwess, Principal Solutions Architect, Amazon Web Services. SVC303
  2. ?
  3. Let's take a closer look (diagram: an AWS Region with Availability Zone 1 and Availability Zone 2, each holding a public subnet and a private subnet; VPC CIDR 10.1.0.0/16, expandable and with IPv6 available; Instance A 10.1.0.11/24, Instance B 10.1.1.11/24, Instance C 10.1.2.11/24, Instance D 10.1.3.11/24; the Internet; Amazon S3, Amazon DynamoDB, AWS Lambda, Amazon SQS, Amazon SNS, AWS IoT)
  4. Woah, hold up…
  5. (divider slide)
  6. VPC concepts & fundamentals: IP addressing; Creating subnets; Routing in a VPC; Security; DNS in-VPC with Amazon Route 53
  7. Choosing an IP address range
  8. Choosing an IP address range for your VPC: 172.31.0.0/16. Recommended: RFC1918 range. Recommended: /16 (65,536 addresses). Avoid ranges that overlap with other networks to which you might connect.
  9. Creating subnets in a VPC
  10. VPC subnets and Availability Zones (diagram: VPC 172.31.0.0/16 with one VPC subnet per Availability Zone: 172.31.0.0/24 in eu-west-1a, 172.31.1.0/24 in eu-west-1b, 172.31.2.0/24 in eu-west-1c)
  11. IPv6 in your VPC
      • Can have a dual-stack VPC by adding an IPv6 CIDR
      • Fixed sizes for VPC and subnets:
        • /56 VPC (4,722,366,482,869,645,213,696 addresses)
        • /64 subnets (18,446,744,073,709,551,616 addresses)
  12. VPC subnets and Availability Zones, dual-stack (diagram: VPC 172.31.0.0/16 plus 2600:1f16:14d:6300::/56, expandable; subnets 172.31.0.0/24 with 2600:1f16:14d:6300::/64 in eu-west-1a, 172.31.1.0/24 with 2600:1f16:14d:6301::/64 in eu-west-1b, 172.31.2.0/24 with 2600:1f16:14d:6302::/64 in eu-west-1c)
  13. Routing in a VPC
  14. Routing in your VPC
      • Route tables contain rules for which packets go where
      • Your VPC has a default route table
      • But, you can create and assign different route tables to different subnets
  15. Traffic destined for my VPC stays in my VPC
  16. DNS in a VPC
  17. VPC DNS options: Use Amazon DNS server; Have EC2 auto-assign DNS host names to instances
  18. Amazon Route 53 private hosted zones (Private Hosted Zone: example.demohostedzone.org → 172.31.0.99)
  19. Amazon Route 53 Resolver for hybrid clouds: Route 53 Resolver endpoints; Conditional forwarding rules
  20. Network security: Security Groups; Network Access Control List; Flow Logs
  21. Security groups follow application structure (diagram: Web instances behind the IGW in the "MyWebServers" security group; App instances in the "MyBackends" security group, which allows only "MyWebServers")
  22. Security groups example: Web servers. Allow HTTP traffic from anywhere
  23. Security groups example: Backends. Allow application traffic from web servers only
  24. Network security: Security Groups; Network Access Control List; Flow Logs
  25. Security groups vs. NACLs
      • Security group: operates at instance level. Network ACL: operates at subnet level
      • Security group: supports allow rules only. Network ACL: supports allow and deny rules
      • Security group: is stateful, return traffic is automatically allowed regardless of any rules. Network ACL: is stateless, return traffic must be explicitly allowed by rules
      • Security group: all rules evaluated before deciding whether to allow traffic. Network ACL: rules evaluated in order when deciding whether to allow traffic
      • Security group: applies only to instances explicitly associated with the security group. Network ACL: automatically applies to all instances launched into associated subnets
      • Network ACL: doesn't filter traffic to or from link-local addresses (169.254.0.0/16) or AWS-reserved IPv4 addresses; these are the first four IPv4 addresses of the subnet (including the Amazon VPC DNS server)
  26. Network security: Security Groups; Network Access Control List; Flow Logs
  27. VPC Flow Logs • Visibility • Troubleshooting • Analyze traffic (diagram: flow logs from AZ 1 and AZ 2 delivered to Amazon S3 and Amazon CloudWatch Logs)
  28. VPC Flow Logs: Setup. VPC traffic metadata captured in Amazon S3 or Amazon CloudWatch Logs
  29. VPC Flow Logs format
  30. (divider slide)
  31. Connecting your VPC, or not: Internet connectivity; Connecting to other VPCs; Connecting to your on-premises network
  32. Internet connectivity, or not
  33. Let's take a closer look (diagram: the VPC of slide 3 with an IGW and a NAT-GW in each public subnet; Elastic IPs 10.1.0.11 : 54.23.12.43 and 10.1.1.11 : 54.19.12.23; public subnet route table: 10.1.0.0/16 → Local, 0.0.0.0/0 → IGW; private subnet route table: 10.1.0.0/16 → Local, 0.0.0.0/0 → NAT-GW; the Internet, Amazon S3, Amazon DynamoDB, AWS Lambda, Amazon SQS, Amazon SNS, AWS IoT)
  34. Connecting to other VPCs: VPC Peering; Transit Gateway
  35. VPC peering
      • Full private IP connectivity between two VPCs
      • Can peer VPCs across regions
      • VPCs can be in different accounts
      • VPC CIDR ranges must not overlap (diagram: VPCs 10.0.0.0/16, 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16)
  36. Establish a VPC peering: Initiate request. Step 1: Initiate peering request (172.31.0.0/16 ↔ 10.55.0.0/16)
  37. Establish a VPC peering: Accept request. Step 1: Initiate peering request. Step 2: Accept peering request
  38. Establish a VPC peering: Create a route. Step 1: Initiate peering request. Step 2: Accept peering request. Step 3: Create a route; traffic destined for the peered VPC should go to the peering connection
  39. Connecting to other VPCs: VPC Peering; Transit Gateway and beyond…
  40. Before Transit Gateway… (diagram: several Amazon VPCs interconnected by VPC peering, plus VPN connections from a customer gateway and an AWS Direct Connect Gateway)
  41. (diagram: VPC A's route table: A → Local, B → PCX-1, C → PCX-2, D → PCX-3, E → PCX-4, one peering connection per peer VPC)
  42. Full mesh: How many Amazon VPC peering connections do I need (full mesh)? n(n-1)/2. VPC x 10
  43. Full mesh: How many Amazon VPC peering connections do I need (full mesh)? 10(10-1)/2. VPC x 10
  44. Full mesh: How many Amazon VPC peering connections do I need (full mesh)? VPC x 10: 45
  45. Full mesh: How many Amazon VPC peering connections do I need (full mesh)? 100(100-1)/2. VPC x 100
  46. Full mesh: How many Amazon VPC peering connections do I need (full mesh)? VPC x 100: 4500
  47. Static routes per Amazon VPC route table: 100. Amazon VPC peering connections per Amazon VPC: 125
  48. With Transit Gateway… (diagram: a Transit Gateway hub connecting several Amazon VPCs, a customer gateway VPN connection and an AWS Direct Connect Gateway (Coming Soon))
  49. With Transit Gateway… (diagram: VPC A is attachment 1, VPC B attachment 2, VPC C attachment 3 and the on-premises VPN attachment 4 of a TGW with route tables RT1 and RT2; VPC B's route table: B → Local, A → TGW, C → TGW, plus a 0.0.0.0/0 default route)
  50. Transit Gateway terms
      • Attachment: the connection from an Amazon VPC or VPN to a TGW
      • Association: the route table used to route packets coming from an attachment (from an Amazon VPC or VPN)
      • Propagation: the route table where the attachment's routes are installed
  51. (diagram: VPCs Llama 10.1.0.0/16 on attachment X, Pegasus 10.2.0.0/16 on attachment Y and Barry 10.3.0.0/16 on attachment Z; TGW route table RT1 with associations X, Y, Z and propagations Llama from X, Pegasus from Y, Barry from Z, giving routes 10.1.0.0/16 via X, 10.2.0.0/16 via Y, 10.3.0.0/16 via Z; VPC route tables: private 10.1.0.0/16 → Local, 0.0.0.0/0 → TGW; public 10.1.0.0/16 → Local, 0.0.0.0/0 → IGW, 10.0.0.0/8 → TGW)
  52. After: AWS Transit Gateway (TGW) (same diagram as slide 51; Llama gains the additional CIDRs 10.8.0.0/16 and 10.9.0.0/16, which propagate into RT1 as 10.8.0.0/16 via X and 10.9.0.0/16 via X)
  53. Propagation turned off: you can still statically configure routes (same diagram as slide 52, with the routes entered statically)
  54. (diagram: Llama 10.1.0.0/16 on X, Pegasus 10.2.0.0/16 on Y, Barry 10.3.0.0/16 on Z, On-premises 172.16.0.0/16 on attachment Q; three TGW route tables. RT1: associations Llama from X, Pegasus from Y; propagations Llama from X, Pegasus from Y, On-prem from Q; routes 10.1.0.0/16 via X, 10.2.0.0/16 via Y, 172.16.0.0/16 via Q. RT2: association Barry from Z; propagations On-prem from Q, Barry from Z; routes 172.16.0.0/16 via Q, 10.3.0.0/16 via X. RT3: association On-prem from Q; propagations Llama from X, Pegasus from Y, Barry from Z, On-prem from Q; routes 10.1.0.0/16 via X, 10.2.0.0/16 via Y, 10.3.0.0/16 via Z, 172.16.0.0/16 via Q)
  55. Packet: SRC Llama, DST On-prem (same diagram as slide 54; the packet enters on attachment X, which is associated with RT1)
  56. Packet: SRC Llama, DST On-prem (same diagram; RT1 routes 172.16.0.0/16 via Q)
  57. Packet: SRC Barry, DST On-prem (same diagram; the packet enters on attachment Z, which is associated with RT2)
  58. Packet: SRC Barry, DST On-prem (same diagram; RT2 routes 172.16.0.0/16 via Q)
  59. After: AWS Transit Gateway (TGW) – The console
  60. After: AWS Transit Gateway (TGW) – The console (screenshot: a TGW named UnicornTGW with the description "This TGW is Awesome")
  61. After: AWS Transit Gateway (TGW) – The console
  62. TGWs per account / TGW attachments per Amazon VPC: 5. Maximum burstable bandwidth per attachment: 50 Gbps
  63. Maximum bandwidth per VPN connection: 1.25 Gbps*. *With ECMP, you can distribute traffic over multiple tunnels, e.g. 8 tunnels = 10 Gbps
  64. Routes per TGW: 10,000. Number of TGW attachments per region per account: 5,000 !!!
  65. Cross region connectivity? TGW is a region-level construct today
  66. Connecting to on-premises networks: AWS VPN; AWS Direct Connect
  67. (diagram: on premises customer gateway (CGW) to a virtual private gateway (VGW), IPsec tunnel over the internet: IPsec Tunnel 1 - Primary, IPsec Tunnel 2 - Secondary)
  68. (diagram: the same IPsec tunnels over the internet, from the customer gateway (CGW) terminating on a Transit GW)
  69. Client VPN (diagram: user with OpenVPN client, TLS-based tunnel over the internet to a Client VPN Endpoint attached to an Amazon VPC, reaching on premises, Amazon S3 and Amazon DynamoDB)
  70. Connecting to on-premises networks: AWS VPN; AWS Direct Connect
  71. AWS Direct Connect: what's that? (diagram: on premises 192.168.0.0/16 over a service provider network to the customer or partner cage at an AWS Direct Connect location, cross connect to the AWS cage, then to the AWS Region; a Private VIF to the VGW of VPC 10.0.0.0/16 and a Public VIF)
  72. AWS Direct Connect: what's that? (same diagram, with a second Private VIF to the VGW of a second VPC, 10.2.0.0/16)
  73. AWS Direct Connect Gateway: One Private VIF → Many VPCs (diagram: one Private VIF to an AWS Direct Connect Gateway, which reaches the VGWs of 10.0.0.0/16 and 10.2.0.0/16)
  74. AWS Direct Connect Gateway: One Private VIF → Many VPCs (same diagram, with the VPCs in AWS Region 1 and AWS Region 2)
  75. AWS Direct Connect Gateway: One Private VIF → Many VPCs (same diagram, with the VPCs in AWS Account 1 and AWS Account 2). Multi Account DX Gateway: NEW
  76. Also NEW: New Partner Connection Speeds: 1, 2, 5, or 10 Gbps of capacity. https://amzn.to/2YtGNue
  77. (divider slide)
  78. …more AWS networking: VPC Sharing; VPC endpoints and AWS PrivateLink
  79. Amazon VPC Sharing: Before
  80. (diagram: six separately addressed VPCs, Llama 10.3.0.0/16, Pegasus 10.2.0.0/16, Barry 10.1.0.0/16, Iguana 10.6.0.0/16, Steve 10.5.0.0/16, Sue 10.4.0.0/16, hosting AWS Lambda, Amazon EC2, Amazon Redshift and Amazon RDS workloads across the Dev, Test, Prod 1, Prod 2, Prod 3 and Prod 4 environments)
  81. Amazon VPC Sharing: After
  82. (same diagram as slide 80)
  83. (diagram: after sharing, only Pegasus 10.2.0.0/16 and Barry 10.1.0.0/16 keep a VPC; two accounts act as Owner and the other four as Participant, with the same workloads and environments)
  84. Amazon VPC Owner: Amazon VPC owners are responsible for creating, managing, and deleting all VPC level entities. Amazon VPC owners cannot modify or delete participant resources.
  85. Amazon VPC Participant: Participants that are in a shared Amazon VPC are responsible for the creation, management and deletion of their resources including Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) databases, and load balancers. However, they cannot modify any Amazon VPC-level entities including route tables, network ACLs, or subnets (or view / modify resources belonging to other participants).
  86. Why use multiple accounts?
  87. Why use Amazon VPC sharing?
      • Preserve IP space: use fewer IPv4 CIDRs
      • Interconnectivity: no VPC Peering required
      • Billing and Security: continue to enjoy segregation with multiple accounts
      • Separation of duties: central team can create and manage your Amazon VPC
      • Same AZ: cost for data transfer is nil!
  88. VPC endpoints: Gateway VPC endpoints; Interface VPC endpoints; AWS PrivateLink
  89. (diagram: the VPC of slide 33 with a gateway VPC endpoint, VPCE = Virtual Private Endpoint (Type: Gateway), for Amazon S3 and Amazon DynamoDB; public subnet route table: 10.1.0.0/16 → Local, 0.0.0.0/0 → IGW, S3.prefix.list → VPCE-123; private subnet route table: 10.1.0.0/16 → Local, DDB.prefix.list → VPCE-123; Elastic IPs 10.1.0.11 : 54.23.12.43 and 10.1.1.11 : 54.19.12.23)
  90. VPC endpoints: Gateway VPC endpoints; Interface VPC endpoints; AWS PrivateLink
  91. 22+ services now supported over AWS PrivateLink: Amazon API Gateway, AWS CloudFormation, Amazon CloudWatch, Amazon CloudWatch Events, Amazon CloudWatch Logs, AWS CodeBuild, AWS Config, Amazon EC2 API, Elastic Load Balancing API, AWS Key Management Service, Amazon Kinesis Data Streams, Amazon SageMaker Runtime, AWS Secrets Manager, AWS Security Token Service, AWS Service Catalog, Amazon SNS, AWS Systems Manager + more. AWS PrivateLink can reach public services, privately from your VPC. No routes needed! (almost) (diagram: an interface endpoint for ec2.eu-west-1.amazonaws.com with ENI1: 10.1.0.15 in Availability Zone 1 and ENI2: 10.1.1.23 in Availability Zone 2; both subnet route tables contain only 10.1.0.0/16 → Local)
  92. How it works: AWS PrivateLink, Type: Gateway, Type: Interface
  93. VPC endpoints: Gateway VPC endpoints; Interface VPC endpoints; AWS PrivateLink
  94. And now AWS PrivateLink for service providers (diagram: Customer VPC with VPC Endpoint vpce-2222.foo.amazon.com, via AWS PrivateLink, to an NLB in the Service Provider VPC fronting an application, e.g. SaaS)
  95. (divider slide)
  96. Let's take a closer look (diagram: the complete picture of VPC 10.1.0.0/16: IGW, NAT-GW, gateway VPCE for Amazon S3 and Amazon DynamoDB, VGW with VPN to on premises, AWS Direct Connect with a DXGW, VPC Peering PCX-123 to VPC-B (intra or inter region), Transit GW, AWS PrivateLink to a service provider VPC NLB and to AWS PrivateLink enabled services, VPC Flow Logs to Amazon CloudWatch; public subnet route table: 10.1.0.0/16 → Local, 0.0.0.0/0 → IGW, S3.prefix.list → VPCE-123, On-premises → VGW, VPC-B → PCX-123, other routes → TGW; private subnet route table: 10.1.0.0/16 → Local, S3.prefix.list → VPCE-123, On-premises → VGW, VPC-B → PCX-123, other routes → TGW)
  97. Thank you! Matt Lehwess, mlehwess@amazon.com
  98. (closing slide)
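The security group versus NACL comparison of slide 25, applied to the "MyWebServers" and "MyBackends" groups of slides 21 to 23, as an added Python model that is not part of the deck: instance addresses are taken from slide 3, the backend port 8080 and the client addresses are assumed, and the NACL's outbound ephemeral-port rule shows what "stateless" costs you in practice.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SecurityGroup:
    """Instance level, allow rules only, every rule evaluated, stateful."""

    def __init__(self, name):
        self.name = name
        self.rules = []        # (port, source): source is a CIDR or another group's name
        self.members = set()   # private IPs of the instances associated with this group
        self.tracked = set()   # connection-tracking table for flows already allowed in

    def allow(self, port, source):
        self.rules.append((port, source))

    def _source_matches(self, source, ip, groups):
        if source in groups:   # the rule references a security group, not an address range
            return ip in groups[source].members
        return ipaddress.ip_address(ip) in ipaddress.ip_network(source)

    def inbound(self, pkt, groups):
        """All rules are evaluated; one matching allow rule is enough (there is no deny)."""
        if pkt.dst_ip not in self.members:
            return False
        allowed = any(port == pkt.dst_port and self._source_matches(src, pkt.src_ip, groups)
                      for port, src in self.rules)
        if allowed:
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return allowed

    def outbound_reply(self, pkt):
        """Return traffic is allowed because the flow is tracked, regardless of rules."""
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked


class NetworkACL:
    """Subnet level, allow and deny rules, evaluated in rule-number order, stateless."""

    def __init__(self):
        self.rules = {"in": [], "out": []}   # (number, action, port_lo, port_hi, cidr)

    def add(self, direction, number, action, port_lo, port_hi, cidr):
        self.rules[direction].append((number, action, port_lo, port_hi, cidr))
        self.rules[direction].sort(key=lambda r: r[0])

    def evaluate(self, direction, pkt):
        """First matching rule wins; the implicit final '*' rule denies everything else."""
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        for _, action, lo, hi, cidr in self.rules[direction]:
            if lo <= pkt.dst_port <= hi and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr):
                return action == "allow"
        return False


def build_groups():
    """Constructed scenario: web tier open on 80 to anywhere, backends only from the web tier."""
    web = SecurityGroup("MyWebServers")
    web.members = {"10.1.0.11"}           # Instance A on the deck's diagram
    web.allow(80, "0.0.0.0/0")            # slide 22: allow HTTP traffic from anywhere
    app = SecurityGroup("MyBackends")
    app.members = {"10.1.2.11"}           # Instance C
    app.allow(8080, "MyWebServers")       # slide 23: application traffic from web servers only
    return {"MyWebServers": web, "MyBackends": app}


def build_nacl(with_return_rule):
    """Subnet NACL admitting HTTP; only the outbound ephemeral-port rule lets replies out."""
    nacl = NetworkACL()
    nacl.add("in", 100, "allow", 80, 80, "0.0.0.0/0")
    if with_return_rule:
        nacl.add("out", 100, "allow", 1024, 65535, "0.0.0.0/0")
    return nacl
```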

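The attachment, association and propagation model of slides 50 to 58, as an added Python example that is not part of the deck: attachments X, Y, Z and Q, route tables RT1 to RT3, and a forward() lookup that consults the table associated with the source attachment. Routes are derived from propagations, so Barry's prefix in RT2 points at its own attachment Z rather than the "via X" printed on slide 54; the packet walks are those of slides 55 to 58, and add_static() covers the propagation-off case of slide 53.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Attachment:
    name: str      # attachment id on the deck's diagram, e.g. "X"
    network: str   # what sits behind it, e.g. "Llama" or "On-prem"
    cidrs: tuple   # prefixes that propagation installs into a route table


@dataclass
class RouteTable:
    name: str
    routes: dict = field(default_factory=dict)   # ip_network -> attachment name

    def propagate(self, att):
        """Propagation: install the attachment's prefixes with that attachment as next hop."""
        for cidr in att.cidrs:
            self.routes[ipaddress.ip_network(cidr)] = att.name

    def add_static(self, cidr, att_name):
        """Static route: the same table entry, configured by hand (propagation turned off)."""
        self.routes[ipaddress.ip_network(cidr)] = att_name

    def lookup(self, dst_ip):
        """Longest-prefix match; None means this table has nowhere to send the packet."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(p.prefixlen, att) for p, att in self.routes.items() if ip in p]
        return max(matches)[1] if matches else None


class TransitGateway:
    def __init__(self):
        self.attachments = {}
        self.tables = {}
        self.associations = {}   # attachment name -> route table consulted for its traffic

    def attach(self, att):
        self.attachments[att.name] = att

    def create_table(self, name):
        self.tables[name] = RouteTable(name)

    def associate(self, att_name, table):
        self.associations[att_name] = table

    def propagate(self, att_name, table):
        self.tables[table].propagate(self.attachments[att_name])

    def forward(self, src_att, dst_ip):
        """Route a packet arriving on src_att using the table associated with it."""
        return self.tables[self.associations[src_att]].lookup(dst_ip)

    def reachable(self, src_att, dst_att):
        """Can traffic from src_att reach any prefix behind dst_att?"""
        table = self.tables[self.associations[src_att]]
        return any(table.lookup(str(ipaddress.ip_network(c)[1])) == dst_att
                   for c in self.attachments[dst_att].cidrs)


def build_summit_example():
    """Constructed from slide 54: three VPCs, one VPN attachment, three TGW route tables."""
    tgw = TransitGateway()
    for att in (Attachment("X", "Llama", ("10.1.0.0/16",)),
                Attachment("Y", "Pegasus", ("10.2.0.0/16",)),
                Attachment("Z", "Barry", ("10.3.0.0/16",)),
                Attachment("Q", "On-prem", ("172.16.0.0/16",))):
        tgw.attach(att)
    for rt in ("RT1", "RT2", "RT3"):
        tgw.create_table(rt)
    # RT1: Llama and Pegasus reach each other and on-prem, but never Barry
    tgw.associate("X", "RT1")
    tgw.associate("Y", "RT1")
    for att in ("X", "Y", "Q"):
        tgw.propagate(att, "RT1")
    # RT2: Barry is isolated from the other VPCs and only reaches on-prem
    tgw.associate("Z", "RT2")
    for att in ("Z", "Q"):
        tgw.propagate(att, "RT2")
    # RT3: on-prem reaches everything
    tgw.associate("Q", "RT3")
    for att in ("X", "Y", "Z", "Q"):
        tgw.propagate(att, "RT3")
    return tgw
```

Segmentation here comes from which table an attachment is associated with, not from any filtering, so a misplaced association or an extra propagation silently widens reachability; the reachable() check is the kind of assertion worth running after every route table change.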